[Standards] [Fwd: I-D Action:draft-melnikov-digest-to-historic-00.txt]
dave at cridland.net
Tue Sep 11 18:51:40 UTC 2007
On Tue Sep 11 17:20:24 2007, Ian Paterson wrote:
> Peter Saint-Andre wrote:
>> Back in August I emailed about this issue  with the IETF area
>> directors for applications and security, relevant WG chairs, and
>> interested others. The conclusion was that in rfc3920bis we would
>> the following changes to the mandatory-to-implement technologies:
>> 1. Remove DIGEST-MD5
FWIW, I would say that we should try to keep DIGEST-MD5 mentioned
LDAP has done this change, I believe, so I'll ask Kurt what was done
there. SMTP AUTH had the interesting case where CRAM-MD5 was popular,
but it had *no* MTI, so the new SMTP AUTH, although with the now
traditional MTI of TLS+PLAIN, has an informative "MAY implement
CRAM-MD5", with the CRAM-MD5 as an informative reference.
There's also the downref experiment, whereby we could raise
DIGEST-MD5 to a SHOULD, and a normative reference, which is also an
option. It requires more process wonkage, though, but the APPS ADs
should be able to help there.
> I strongly disagree. Restrained (Web) clients can't implement TLS
> over TCP/IP. So without DIGEST-MD5 the passwords would end up being
> transmitted in the clear!
Yes, but they're not acting as fully conformant RFC3920bis
implementations, then. :-)
> Even where TLS is available, SASL PLAIN requires server operators
> to keep copies of all users' passwords. This is a serious (and
> often unnecessary) security weakness.
No, it doesn't. You can implement SASL PLAIN by comparing hashes
internally, that's fine. No need to have a plaintext equivalent, let
alone a cleartext password, on the server.
You do have to send the password clear to the server, so there are
potential MITM issues - you don't want to be sending your password
unless you really know you're talking to the right endpoint.
Hopefully TLS certificate validation provides sufficient server
authentication that you'll avoid this, but it still unnerves me.
> TLS + DIGEST-MD5 is stronger than TLS + SASL PLAIN
Yes, but it's harder to implement, etc.
If I ruled the world, I'd mandate TLS+SCRAM, and have a SHOULD for
TLS+YAP (the latter being plaintext-equiv on the server, but only a
single round-trip, so great for mobiles).
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
More information about the Standards